Diving into Digital Health and Connected Devices
June 8, 2018
Jennifer Mitchell, Cincinnati, OH, (513) [email protected]
Geoffrey Oberhaus, Cincinnati, OH, (513) [email protected]
DINSMORE & SHOHL LLP • LEGAL COUNSEL 1
Overview
➝ Cybersecurity and Privacy Landscape
➝ Managing Privacy and Data Security in the Digital Health Era
➝ Prosecution Case Studies of Combination Products
⥤ AliveCor Kardiaband™ → Apple Watch EKG
⥤ Abilify MYCITE® → Pill/Sensor/App – Compliance Monitor
➝ Understanding IVDs – Connecting Wearables to Electronic Medical Records
➝ Tackling Cybersecurity Challenges
Cybersecurity and Privacy Landscape
Healthcare Privacy and Security Overview
➝ The healthcare industry was the victim of 88% of all ransomware attacks in U.S. industries in 2016.
➝ 89% of studied healthcare organizations have experienced a data breach, which involved patient data being stolen or lost, over the past two years.
➝ Ransomware attacks on healthcare organizations will quadruple by 2020.
Healthcare Privacy and Security Overview
Health data breaches are costing the U.S. healthcare industry an estimated $6.2 billion
⥤ Notification Costs
⥤ Organizing the incident response team
⥤ Conducting investigations and forensics to determine the root cause of the data breach
⥤ Determining the victims of the data breach
⥤ Lost Business
⥤ Legal services for defense
⥤ Legal services for compliance
⥤ Investigations & Enforcement fines/penalties
Healthcare Privacy and Security Overview
➝ The healthcare industry is the most targeted sector
⥤ Personal medical information remains one of the most valuable types of data
⥤ Personal health information is 50 times more valuable on the black market than financial information.
⥤ Stolen patient health records can fetch as much as $60-100 per record or more.
⥤ 2014 FBI warning to healthcare providers
The healthcare industry "is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."
Healthcare Privacy and Security Overview
The privacy and security of healthcare data in the U.S. is governed by a patchwork of federal and state regulations and standards.
➝ HIPAA – Applies to “Protected Health Information”
➝ 42 CFR Part 2 – Regulates the confidentiality of substance use records
➝ FTC Act - Applies to “unfair or deceptive acts or practices,” including failure to live up to privacy promises to consumers
➝ State Laws
➝ GDPR
HIPAA Overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Made up of two rules:
➝ Privacy Rule – Enacted in April 2003 and protects all “PHI” (Protected Health Information), which includes just about any piece of information that might possibly identify a person, in any form, including oral information.
➝ Security Rule – Enacted in April 2005 and mandates various safeguards for Electronic PHI (or “ePHI”), training, and a written security program.
Applies to all “Covered Entities” and their “Business Associates”
HIPAA Security Rule
Mandates protections and safeguards for electronic PHI (“ePHI”)
➝ Administrative
➝ Physical
➝ Technical
The Security Rule provides guidance as to the nature and function of each individual safeguard.
42 CFR Part 2
Applies to:
➝ Part 2 Program: a federally assisted program providing substance use disorder diagnosis, treatment, or referral for treatment
Requires:
➝ Formal policies and procedures to protect against unauthorized uses and disclosures of electronic records:
⥤ (i) Creating, receiving, maintaining, and transmitting such records;
⥤ (ii) Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable;
⥤ (iii) Using and accessing electronic records or other electronic media containing patient identifying information; and
⥤ (iv) Rendering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).
The FTC Act
FTC Enforcement Authority
➝ Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45
⥤ Prohibits “unfair or deceptive acts or practices in or affecting commerce”
State Laws
State Data Breach Notification Laws
➝ Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.
⥤ Alabama and South Dakota are the only states without a data breach notification law.
➝ Provisions are often broader in scope than other privacy laws
⥤ Usually cover “personal information” (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.)
⥤ Usually refer to “breach of the security of a system”…but some include paper form of PHI.
➝ Time periods for notification may be much shorter than other laws, such as HIPAA
⥤ 45 days in Ohio
⥤ 15 days in California
⥤ New Mexico most recently enacted in June 2017
Costs of a Data Breach
Legal frameworks provide for different fines and penalties in the event of a breach
➝ Civil Penalties
⥤ HIPAA violations range from $112 to $55,910 per violation, based on level of knowledge; $1.67 million max/year (adjusted for inflation)
⥤ FTC can impose fines up to $40,654 (adjusted for inflation) per violation
➝ Criminal
⥤ HIPAA provides for criminal fines up to $250,000 and imprisonment of up to 10 years.
➝ HIPAA Penalties
⥤ Healthcare industry has highest cost per capita in event of a data breach
• $402 compared to overall mean of $221
⥤ However, for “consumer” wearable industry, costs are more in line with average
• $218 per record
➝ GDPR Penalties
⥤ Breaches resulting from willful misconduct or gross negligence can result in fines of the greater of €20 million or 4% of gross global revenue
Healthcare Cybersecurity Tips
HHS Top 10 tips for Cybersecurity in Healthcare
1. Establish a security culture
2. Protect mobile devices
3. Maintain good computer habits
4. Use a firewall
5. Install and maintain anti-virus software
6. Plan for the unexpected
7. Control access to PHI
8. Use strong passwords and change them regularly
9. Limit network access
10. Control physical access
Healthcare Cybersecurity Tips
Health Care Industry Cybersecurity Task Force – Six Security Imperatives:
⥤ Define and streamline leadership, governance, and expectations for health care industry cybersecurity
• standardized risk assessments
⥤ Increase the security and resilience of medical devices and health IT
• two factor authentication where a health care provider is accessing EHR outside the clinical setting
⥤ Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
• identify a cybersecurity leader in each organization
• certify higher education programs in cybersecurity
⥤ Increase health care industry readiness through improved cybersecurity awareness and education
⥤ Identify mechanisms to protect research and development efforts and intellectual property
⥤ Improve information sharing of industry threats, weaknesses, and mitigations
• have a cybersecurity incident response plan which is reviewed and tested annually
Managing Privacy in the Digital Health Era
Traditional Modalities of Telehealth
Synchronous, Real-Time
➝ Live, two-way interaction between a patient and a health care provider using audiovisual technology
Asynchronous, Store-and-Forward
➝ Transmission of a patient’s recorded health history through a secure electronic communication system to a health care provider
➝ E.g. services that transmit medical data, x-rays, images, lab results
Remote Patient Monitoring
➝ Collection of a patient’s personal health and medical data via electronic communication technologies. Once collected, the data is transmitted to a provider at another location, with continual tracking by original provider
mHealth
➝ Wearable devices/smart phones to track health and wellness
mHealth: “[T]he use of mobile and wireless devices to improve health outcomes, healthcare services, and health research.”
By 2020, worldwide mobile health market expected to grow to 49 billion [Grand View Research Study – August 2015].
Purposes:
Track food intake, physical activity, weight
Communicate with provider
Medical monitoring
Legal Issues: HIPAA, FDA, FTC, FCC, COPPA, GDPR
FTC Interactive Tool for Developers of Mobile Health Apps (OCR, FDA)
Mobile Health Applications (mHealth)
Types of PII/PHI
Protected
• Name (in conjunction with other data elements)
• Date of Birth
• Full Face Photographic
• Account Numbers (General)
• Health Plan Beneficiary Numbers
• Certificate/License Numbers
• Drug Enforcement Administration Number
• Vehicle Identifiers and Serial Numbers
• Signature
Highly Protected
• Health Information
• Social Security Number
• Passport Information
• Financial Data
• Sensitive Personal Information (e.g., racial or ethnic origin, political opinion, religious belief, trade union membership, health, sexual preference)
• Drivers License Number
• Medical Record Numbers
• Biometric Identifiers
• Physical Characteristics
• Account Numbers (e.g., Credit Card)
* Above is an illustrative list that can be used in data classification, not exhaustive.
** Combination of any of the terms above could be classified as PII.
Understanding Complex Global Regulatory Environment
Region / Jurisdiction / # / Source
Canada – National
1 Canada National – Personal Information Protection and Electronic Documents Act (PIPEDA)
* Alberta and BC also have provincial data protection acts (PIPA Alberta and PIPA BC respectively), as well as a national act covering personal data in the Private Sectors.
Europe – European Union
2 European Union – CURRENT Data Protection Directive (Directive 95/46/EC)
3 European Union – May 25, 2018 General Data Protection Regulation (GDPR)
Japan – National
4 Japan National – Act on Protection of Personal Information (APPI)
Uruguay – National
5 Uruguay National – Data Protection Act Law No 18.3331 (2008); Decree No. 414/009 (2009)
US – Federal
United States – Federal – Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule
United States – Federal – Health Insurance Portability and Accountability Act (HIPAA) Security Rule
6 United States – Federal – Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act
7 United States – Federal – Fair Credit Reporting Act (FCRA)
8 United States – Federal – Junk Fax Prevention Act (JFPA)
9 United States – Federal – Telephone Consumer Protection Act (TCPA)
10 United States – Federal – Children’s Online Privacy Protection Act (COPPA)
US – California
11 United States – California – Civil Code 1798.29 and 1798.82-1798.84 (SB 1386) (Breach Notification)
12 United States – California – Civil Code 1798.85 (SSN Law)
13 United States – California – Civil Code 1798.91 (Senate Bill No. 1633 - An act to add Title 1.81.25 (commencing with Section 1798.91))
14 United States – California – Civil Code 56.11
15 United States – California – Confidentiality of Medical Information Act (CMIA)
US – Connecticut
16 United States – Connecticut – General Statutes 42-470
17 United States – Connecticut – Public Act 08-167
US – Massachusetts
18 United States – Massachusetts – 201 CMR 17.00
US – New Jersey
19 United States – New Jersey – NJSA 56:8-162
20 United States – New Jersey – NJSA 56:8-163
21 United States – New Jersey – NJSA 56:8-164
US – Texas
22 United States – Texas – Health and Safety Code CHAPTER 181
23 United States – Texas – Business and Commerce Code CHAPTER 501
24 United States – Texas – Business and Commerce Code CHAPTER 521
Corporate Standards
25 Intra-Company Agreements, Binding Corporate Rules (BCRs), Privacy Shield Certifications
Standards
26 AICPA Generally Accepted Privacy Principles (GAPP)
Digital Health – Mobile Device Delivery Model
Data Privacy Analysis for Digital Health
DATA PRIVACY ANALYSIS
• What data is being collected?
• Who is collecting?
• Where is it going?
• How is it being used?
• Who has access to it?
• Vendor Due Diligence: Information Security Assessment, Privacy Assessment
• Contracts: Data Sharing Agreements, Data Ownership Agreements, Responsible Party for Regulatory Compliance, Cross-Border Agreements, Standard Contract Clauses, Data Protection Appendices
REGULATORY CONSIDERATIONS
• Health data → HIPAA regulatory enforcement
• Global data processing → cross-border considerations (e.g. GDPR and notice/consent obligations)
OTHER CONSIDERATIONS
• Individual’s rights to the data
• Private right of action under state, national or territorial law
• Agency enforcement (FTC activity increasing to ensure privacy/security under state law)
Consider Privacy in the Design
Privacy by design is an approach to projects that promotes privacy & data protection compliance from the start.
ANALYZE & COLLABORATE
• Business – Legal – IT Cross Functional Collaboration
• Strategy
• Selection
• RFP
• Contract Negotiations
AGILITY & FLEXIBILITY
• Ongoing analysis of developing legislation, policy or strategies that have privacy implications
• Flexibility in contracts (e.g., term/termination, right to amend)
• Embark on data sharing initiatives
• Use data for new purposes
PRIVACY PROCESSES
• Vet new technology for compatibility with system requirements
• Build new IT systems for storing or accessing personal data
• Map data collection
➝ Expected growth in Medical IoT → $117B revenue by 2020 and $536.6B by 2025
➝ According to McKinsey Data Valuations Legislative and Regulatory Recap
⥤ “Big Data” Analytics Value → $9B to U.S. Public Health Surveillance
⥤ “Big Data” Analytics Value → $300B to U.S. Healthcare Market
➝ Over 200 companies engaged in digital health technology development since 2010
➝ Medical IoT devices generate data which can create actionable insights and turn these into revenue
➝ Opportunity for organizations to improve quality of care and maximize efficiency based on insights gained from data generated from connected devices, software, and applications
➝ BUT organizations have yet to derive significant value from digital health because, in part, of the uncertain and complex privacy regulatory environment
Maximize the Value of Data – Value through Connectivity
HIPAA Restrictions
➝ HIPAA only applies to medical devices (as defined by the FDA) that send data directly to a covered entity:
⥤ Patients own their own Health Information
⥤ State law may assign ownership to records that contain Health Information
➝ HIPAA does not apply for most other wearables, personal “medical” devices, and other health related platforms used by consumers:
⥤ Consumers generally own this data, but ownership may be modified by the manufacturer’s Terms of Use
⥤ Most emerging technology Terms of Use have broad use rights for the vendor, even if they don’t change the ownership. Vendors own derivative works created from the exploitation of the licensed data
⥤ May include “social media” applications like FitBit, Jawbone, etc.
➝ HIPAA restricts covered entity from selling identifiable PHI or using PHI for marketing communications without authorization from the individual
➝ Sale of de-identified PHI is permissible
Regulatory Impact: Data Ownership vs. HIPAA and GDPR Restrictions
GDPR Restrictions
➝ GDPR, unlike HIPAA, covers all personal data defined as any data from which a living individual is identified or identifiable, whether directly or indirectly. GDPR applies to any organization engaged in certain personal data processing activities
⥤ EU data subjects have specific rights to their information
⥤ GDPR, although targeting personal data, creates “sensitive personal data” classification that imposes certain requirements for this data category
⥤ State law may assign ownership to records that contain Health Information
➝ GDPR applies to all wearables, personal “medical” devices, and other health related platforms used by consumers, assuming the organization engaged in data collection falls within territorial scope.
⥤ Consumers own this data and individuals’ rights may not be modified by the manufacturer’s Terms of Use
⥤ Strict notice requirements mandated by GDPR to ensure transparency of data processing
⥤ If data processing is done based on consumers’ consent, the individual may revoke consent at any time
⥤ Consumer may exercise right to be forgotten and request deletion of data
⥤ Consumer may exercise right to move data based on the data portability requirement
⥤ GDPR’s data subject rights create issues for data ownership for digital health participants
➝ GDPR does not follow HIPAA de-identified standard, but anonymized personal data is deemed out of scope for GDPR and may be used freely
➝ Sale of personal data to party covered by GDPR means third party must comply with GDPR (via Data Controller’s obligations under law)
On February 9, 2015, the FDA issued Guidance on mobile medical apps:
➝ “The FDA is issuing this guidance document to inform manufacturers, distributors, and other entities about how the FDA intends to apply its regulatory authorities to select software applications intended for use on mobile platforms.”
➝ “The FDA intends to apply its regulatory oversight to only those mobile apps that are medical devices and whose functionality could pose a risk to a patient’s safety if the mobile app were to not function as intended.”
Mobile Medical Applications and FDA
When do FDA regulations apply?
➝ “When the intended use of a mobile app is for the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the body of man, the mobile app is a device.”
Definition of “Mobile Medical App”:
➝ Mobile apps that meet the statutory definition of “device” and are intended either:
⥤ To be used as an accessory to a regulated medical device; or
⥤ To transform a medical platform into a regulated medical device.
Mobile apps for which FDA does not intend to enforce requirements:
➝ Mobile apps that help patients self-manage their diseases without providing specific treatment, provide easy access to information related to patients’ treatments; automate simple tasks for providers; help patients document, show, or communicate potential medical conditions to health care providers.
Applicable regulatory requirements: Quality system regulation, labeling, premarket notifications, registration, listing, and others.
Prosecution Case Studies of Combination Products
AliveCor Kardiaband™ Apple Watch EKG
➝ AliveCor Kardiaband
⥤ Personal EKG & HRV meter
Case Study #1- AliveCor
AliveCor Kardiaband- EKG (1)
FDA Cleared 11/30/17 – 1st Medical device accessory for Apple Watch – Identifies possible Atrial Fibrillation (Afib) events
Patent Portfolio*
➝ 16 Patents / 7 Applications / 2 Abandoned
⥤ 14 Families
⥤ 4 Filings (3 patents / 1 application)
• ~25% of Current Portfolio
⥤ 1 filing PCT-PPH (Patent Prosecution Highway)
• Used Korea as Searching Patent Authority (because of their speed)
⥤ Very few “Alice” 101 Rejections – 2
• 1 overcome – Now US 9,247,911
• 1 under Final Action – 15/421,107
➝ AliveCor was not an overnight success:
⥤ Brains behind company (David Albert) has been working at this for 30+ years
⥤ Albert started with HRM in 1970’s (while in Medical School)
⥤ Critical mass started in 2007, with release of iPhone, accelerated with release of Apple Watch.
AliveCor Kardiaband- EKG (2)
Key Prosecution Take-Aways:
➝ Utilize Track One (USPTO prioritized examination) for speed if it makes sense.
⥤ https://www.uspto.gov/patent/initiatives/usptos-prioritized-patent-examination-program
⥤ Original non-provisional or RCE.
⥤ “Final Disposition” (Final or NOA) promised in 12 months.
⥤ Max. 4 independent claims, and 30 total claims.
⥤ $4,000 Fee ($2,000 small entity).
⥤ Cannot file EOT when responding, or TrackOne status removed.
• [nudge-nudge, wink-wink].
AliveCor Kardiaband- EKG (3)
Prosecution Case Studies of Combination Products
Abilify MYCITE® Pill/Sensor/App – Compliance Monitor
Thanks to Wes Nicolas of Novo Nordisk
➝ Abilify MYCITE®
⥤ Patient Compliance tracker
• Modified pill
• Sensor patch
• App
Case Study #2- Abilify
➝ Background:
⥤ Abilify® from Otsuka first approved in 2002 to treat schizophrenia, bipolar disorder, and depression.
⥤ To facilitate patient compliance, Otsuka modified Abilify pill to contain IEM (ingestible event marker) using technology from Proteus, including wearable patch sensor, and app interface, submitted to FDA in 2015.
⥤ Complete Response letter in April 2016. Resubmitted May 2016.
⥤ FDA Approved: 11/13/2017
Patent Portfolio*
➝ 31 Orange Book Listed Patents
⥤ 9 Otsuka patents (provided drug)
⥤ 22 Proteus patents (provided ingestible “device” and “data” thereof)
➝ 15 Patent Families
➝ “Special” Prosecution:
⥤ 3 of 31 filed at USPTO as PCT-PPH (~10% of portfolio)
• Used Korea as searching Patent Office (because of their speed)
⥤ 1 Proteus application used old USPTO Pilot program “pump and dump” to speed examination
➝ Method of using device claims provided many FDA use codes! (next slide)
*Based on FDA Orange Book Search on 1/17/2018
Various Use Codes applicable to the “device”:
Use Code Drill Down- A Look at Patent & Label Text:
Closest Patent text - U.S. 9,268,909:
Claim 1.) A method of stabilizing battery voltage of a battery device while optimizing power delivered to a receiver during communication of a broadcast packet, the method comprising:
receiving, by a logic circuit, a broadcast packet having a predetermined number of bits for communication by a controller to a receiver located remotely from the controller;
determining, by the logic circuit, a number of cycles in which a sampled battery voltage is either greater than or less than or equal to a nominal battery voltage over a first subset of the predetermined number of bits of the broadcast packet; and
performing either a tune-up or tune-down procedure based on the number of cycles counted in which the sampled battery voltage is not equal to the nominal battery voltage for more than one half of a total number of cycles counted.
Closest Label text (p. 27):
11 Description…An aripiprazole tablet with an imbedded Ingestible Event Marker (IEM) sensor. The IEM is a 1 mm sized sensor …[u]pon contact with gastric fluid, magnesium and cuprous chloride within the IEM react to activate and power the device. The IEM then communicates to the MYCITE Patch…
Key Prosecution Take-Aways:
➝ Patent Prosecution Highway (PPH and PCT-PPH)
⥤ Utilize allowance(s) in other jurisdictions to speed up US examination.
⥤ May require “Petition to Expedite under 1.182” to get PPH started.
➝ Strengthen nexus between FDA and device patents by:
⥤ Claiming method (of using device) to provide FDA use codes for OB listing.
Understanding IVDs – Connecting Wearables to Electronic Medical Records
➝ Convergence of IVD Devices, Wearables, Monitors and Apps
⥤ The wearable medical devices market is expected to reach $14.41 Billion by 2022 up from $5.31 Billion in 2016
➝ Common Connected Medical Devices
⥤ Physiological Monitors: weight scales, blood pressure monitors, EKG, glucose monitors, heart rate monitors, pulse oximeters, and more
⥤ IVD Devices: biopsy equipment, blood analysers, virus detection systems and immuno-assays
⥤ Wearables: activity trackers, sleep apnea detectors, medication compliance monitors, EKG, heartrate monitors
⥤ Implants: glucose monitors, pacemakers, hearing devices, and more
Connected Healthcare
Use Case #1- Blood Pressure Monitor
Use Case #2- Fitness App
Tackling Cybersecurity Challenges
Do you know where your data is?
Strava Fitness App Can Reveal Military Sites, Analysts Say – NY Times, Jan. 29, 2018
FDA Issues Final Guidance on Device Security
➝ Actively monitor and detect cybersecurity vulnerabilities in their devices;
➝ Understand, assess and detect the level of risk a vulnerability poses to patient safety;
➝ Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)
➝ Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm.
⥤ https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
Connected Device Security
Hacking Threat Prompts FDA to Issue Pacemaker Recall
➝ 500,000 RF-enabled pacemakers could be hacked
➝ “The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment,” the agency added. “This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”
What could go wrong?
Developer Warns Doctors, Patients About Hacking Threat
➝ Johnson & Johnson warns that digital insulin pumps could be hacked
➝ Possibly could deliver fatal dose of insulin to a user
➝ "The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters sent to doctors and roughly 114,000 patients in the U.S. and Canada. "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."
Future Uses of Your Data
Questions?